Table Of Contents

Feature Licenses and Specifications

Security Appliance and ASDM Release Compatibility

Client PC Operating System and Browser Requirements

Supported Platforms and Feature Licenses

Security Services Module Support

VPN Specifications

Cisco VPN Client Support

Cisco Secure Desktop Support

Site-to-Site VPN Compatibility

Cryptographic Standards

Feature Licenses and Specifications

---

This appendix describes the feature licenses and specifications. This appendix includes the following sections:

•Security Appliance and ASDM Release Compatibility

•Client PC Operating System and Browser Requirements

•Supported Platforms and Feature Licenses

•Security Services Module Support

•VPN Specifications

Security Appliance and ASDM Release Compatibility

Table 1 shows the ASDM or PDM versions that can be used with each security appliance release.

Table 1 Security Appliance and ASDM /PDM Release Compatibility

Security Appliance Release	ASDM/PDM Version
8.0(x)	ASDM 6.0(x)
7.2(x)	ASDM 5.2(x)
7.1(x)	ASDM 5.1(x)
7.0(x)	ASDM 5.0(x)
PIX 6.3(x)	PDM 4.1(x)

Client PC Operating System and Browser Requirements

Table 2 lists the supported and recommended platforms for ASDM. While ASDM might work on other browsers and browser versions, these are the only officially supported browsers. Note that unlike earlier PDM versions, you must have Java installed. The native JVM on Windows is no longer supported and does not work.

Table 2 Operating System, Browser, and Java Requirements 

	Operating System	Browser with Java Applet	ASDM Launcher	Other Requirements
Windows1 Processor: Intel Pentium IV, AMD Athlon or equivalent Memory: Min. 512 MB RAM Display: Min. 1024x768 resolution and 256 colors	Windows 2000 (Service Pack 4) or Windows XP operating systems, English or Japanese	Internet Explorer 6.0 with Java Plug-in2 1.4.2 or 5.0 (1.5) Note HTTP 1.1—Settings for Internet Options > Advanced > HTTP 1.1 should use HTTP 1.1 for both proxy and non-proxy connections. Firefox 1.5 with Java Plug-in2 1.4.2 or 5.0 (1.5)	Java 1.4.2 or 5.0 (1.5)2	SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences.
Sun SPARC Solaris Memory: Min. 512 MB RAM Display: Min. 1024x768 resolution and 256 colors	Sun Solaris 8 or 9	Firefox 1.5 with Java Plug-in2 1.4.2 or 5.0 (1.5)	Not available.
Linux Memory: Min. 256 MB RAM Display: Min. 1024x768 resolution and 256 colors	Red Hat Linux Desktop or Red Hat Linux Enterprise WS, Version 3 GNOME or KDE desktop environment	Firefox 1.5 with Java Plug-in2 1.4.2 or 5.0 (1.5)	Not available.

1 ASDM is not supported on Windows 3.1, 95, 98, ME or Windows NT4. 2 Download the latest Java from http://java.sun.com/.

Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

•ASA 5505, Table A-3

•ASA 5510, Table A-4

•ASA 5520, Table A-5

•ASA 5540, Table A-6

•ASA 5550, Table A-7

•PIX 515/515E, Table A-8

•PIX 525, Table A-9

•PIX 535, Table A-10

---

Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 Clientless SSL VPN license plus the GTP/GPRS license; or all four licenses together.

---

Table A-3 ASA 5505 Adaptive Security Appliance License Features 

ASA 5505	Base License						Security Plus
Users, concurrent1	10	Optional Licenses:					10	Optional Licenses:
		50	Unlimited					50	Unlimited
Security Contexts	No support						No support
VPN Sessions2	10 combined IPSec and Clientless SSL VPN						25 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions	10						25
Max. Clientless SSL VPN Sessions	2	Optional License: 10					2	Optional License: 10
VPN Load Balancing	No support						No support
TLS Proxy for SIP and Skinny Inspection	Supported						Supported
Failover	No support						Active/Standby (no stateful failover)
GTP/GPRS	No support						No support
Maximum VLANs/Zones	3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone)						20
Maximum VLAN Trunks	No support						Unlimited
Concurrent Firewall Conns3	10 K						25 K
Max. Physical Interfaces	Unlimited, assigned to VLANs/zones						Unlimited, assigned to VLANs/zones
Encryption	Base (DES)		Optional license: Strong (3DES/AES)				Base (DES)		Optional license: Strong (3DES/AES)
Minimum RAM	256 MB (default)						256 MB (default)

1 In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits. 2 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 3 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.

Table A-4 ASA 5510 Adaptive Security Appliance License Features 

ASA 5510	Base License						Security Plus
Users, concurrent	Unlimited						Unlimited
Security Contexts	No support						2	Optional Licenses:
								5
VPN Sessions1	250 combined IPSec and Clientless SSL VPN						250 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions	250						250
Max. Clientless SSL VPN Sessions	2	Optional Licenses:					2	Optional Licenses:
		10	25	50	100	250		10	25	50	100	250
VPN Load Balancing	No support						No support
TLS Proxy for SIP and Skinny Inspection	Supported						Supported
Failover	No support						Active/Standby or Active/Active
GTP/GPRS	No support						No support
Max. VLANs	50						100
Concurrent Firewall Conns2	50 K						130 K
Max. Physical Interfaces	Unlimited at Fast Ethernet speeds						Unlimited at Gigabit Ethernet speeds
Encryption	Base (DES)		Optional license: Strong (3DES/AES)				Base (DES)		Optional license: Strong (3DES/AES)
Min. RAM	256 MB (default)						256 MB (default)

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-5 ASA 5520 Adaptive Security Appliance License Features 

ASA 5520	Base License
Users, concurrent	Unlimited						Unlimited
Security Contexts	2	Optional Licenses:
		5	10	20
VPN Sessions1	750 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions	750
Max. Clientless SSL VPN Sessions	2	Optional Licenses:
		10	25	50	100	250	500	750
VPN Load Balancing	Supported
TLS Proxy for SIP and Skinny Inspection	Supported
Failover	Active/Standby or Active/Active
GTP/GPRS	None		Optional license: Enabled
Max. VLANs	150
Concurrent Firewall Conns2	280 K
Max. Physical Interfaces	Unlimited
Encryption	Base (DES)		Optional license: Strong (3DES/AES)
Min. RAM	512 MB (default)

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-6 ASA 5540 Adaptive Security Appliance License Features 

ASA 5540	Base License
Users, concurrent	Unlimited						Unlimited
Security Contexts	2	Optional licenses:
		5	10	20	50
VPN Sessions1	5000 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions	5000
Max. Clientless SSL VPN Sessions	2	Optional Licenses:
		10	25	50	100	250	500	750	1000	2500
VPN Load Balancing	Supported
TLS Proxy for SIP and Skinny Inspection	Supported
Failover	Active/Standby or Active/Active
GTP/GPRS	None		Optional license: Enabled
Max. VLANs	200
Concurrent Firewall Conns2	400 K
Max. Physical Interfaces	Unlimited
Encryption	Base (DES)		Optional license: Strong (3DES/AES)
Min. RAM	1 GB (default)

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-7 ASA 5550 Adaptive Security Appliance License Features 

ASA 5550	Base License
Users, concurrent	Unlimited
Security Contexts	2	Optional licenses:
		5	10	20	50
VPN Sessions1	5000 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions	5000
Max. Clientless SSL VPN Sessions	2	Optional Licenses:
		10	25	50	100	250	500	750	1000	2500	5000
VPN Load Balancing	Supported
TLS Proxy for SIP and Skinny Inspection	Supported
Failover	Active/Standby or Active/Active
GTP/GPRS	None		Optional license: Enabled
Max. VLANs	250
Concurrent Firewall Conns2	650 K
Max. Physical Interfaces	Unlimited
Encryption	Base (DES)		Optional license: Strong (3DES/AES)
Min. RAM	4 GB (default)

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-8 PIX 515/515E Security Appliance License Features 

PIX 515/515E	R (Restricted)			UR (Unrestricted)						FO (Failover)1						FO-AA (Failover Active/Active)1
Users, concurrent	Unlimited			Unlimited						Unlimited						Unlimited
Security Contexts	No support			2	Optional license: 5					2	Optional license: 5					2	Optional license: 5
IPSec Sessions	2000			2000						2000						2000
Clientless SSL VPN Sessions	No support			No support						No support						No support
VPN Load Balancing	No support			No support						No support						No support
TLS Proxy for SIP and Skinny Inspection	No support			No support						No support						No support
Failover	No support			Active/Standby Active/Active						Active/Standby						Active/Standby Active/Active
GTP/GPRS	None	Optional license: Enabled		None		Optional license: Enabled				None		Optional license: Enabled				None		Optional license: Enabled
Max. VLANs	10			25						25						25
Concurrent Firewall Conns2	48 K			130 K						130 K						130 K
Max. Physical Interfaces	3			6						6						6
Encryption	None	Optional licenses:		None		Optional licenses:				None		Optional licenses:				None		Optional licenses:
		Base (DES)	Strong (3DES/ AES)			Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)
Min. RAM	64 MB (default)			128 MB						128 MB						128 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-9 PIX 525 Security Appliance License Features 

PIX 525	R (Restricted)			UR (Unrestricted)						FO (Failover)1						FO-AA (Failover Active/Active)1
Users, concurrent	Unlimited			Unlimited						Unlimited						Unlimited
Security Contexts	No support			2	Optional licenses:					2	Optional licenses:					2	Optional licenses:
					5	10	20	50			5	10	20	50			5	10	20	50
IPSec Sessions	2000			2000						2000						2000
Clientless SSL VPN Sessions	No support			No support						No support						No support
VPN Load Balancing	No support			No support						No support						No support
TLS Proxy for SIP and Skinny Inspection	No support			No support						No support						No support
Failover	No support			Active/Standby Active/Active						Active/Standby						Active/Standby Active/Active
GTP/GPRS	None	Optional license: Enabled		None		Optional license: Enabled				None		Optional license: Enabled				None		Optional license: Enabled
Max. VLANs	25			100						100						100
Concurrent Firewall Conns2	140 K			280 K						280 K						280 K
Max. Physical Interfaces	6			10						10						10
Encryption	None	Optional licenses:		None		Optional licenses:				None		Optional licenses:				None		Optional licenses:
		Base (DES)	Strong (3DES/ AES)			Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)
Min. RAM	128 MB (default)			256 MB						256 MB						256 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Table A-10 PIX 535 Security Appliance License Features 

PIX 535	R (Restricted)			UR (Unrestricted)						FO (Failover)1						FO-AA (Failover Active/Active)1
Users, concurrent	Unlimited			Unlimited						Unlimited						Unlimited
Security Contexts	No support			2	Optional licenses:					2	Optional licenses:					2	Optional licenses:
					5	10	20	50			5	10	20	50			5	10	20	50
IPSec Sessions	2000			2000						2000						2000
Clientless SSL VPN Sessions	No support			No support						No support						No support
VPN Load Balancing	No support			No support						No support						No support
TLS Proxy for SIP and Skinny Inspection	No support			No support						No support						No support
Failover	No support			Active/Standby Active/Active						Active/Standby						Active/Standby Active/Active
GTP/GPRS	None	Optional license: Enabled		None		Optional license: Enabled				None		Optional license: Enabled				None		Optional license: Enabled
Max. VLANs	50			150						150						150
Concurrent Firewall Conns2	250 K			500 K						500 K						500 K
Max. Physical Interfaces	8			14						14						14
Encryption	None	Optional licenses:		None		Optional licenses:				None		Optional licenses:				None		Optional licenses:
		Base (DES)	Strong (3DES/ AES)			Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)				Base (DES)		Strong (3DES/ AES)
Min. RAM	512 MB (default)			1024 MB						1024 MB						1024 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.

Security Services Module Support

Table A-11 shows the SSMs supported by each platform:

Table A-11 SSM Support 

Platform	SSM Models
ASA 5505	No support
ASA 5510	AIP SSM 10 CSC SSM 10 CSC SSM 20 4GE SSM
ASA 5520	AIP SSM 10 AIP SSM 20 CSC SSM 10 CSC SSM 20 4GE SSM
ASA 5540	AIP SSM 10 AIP SSM 20 CSC SSM 101 CSC SSM 201 4GE SSM
ASA 5550	No support (4GE SSM is built-in and not user-removable)
PIX 515/515E	No support
PIX 525	No support
PIX 535	No support

1 The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.

VPN Specifications

This section describes the VPN specifications for the security appliance. This section includes the following topics:

•Cisco VPN Client Support

•Cisco Secure Desktop Support

•Site-to-Site VPN Compatibility

•Cryptographic Standards

Cisco VPN Client Support

The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-12.

Table A-12 Cisco VPN Client Support 

Client Type	Client Versions
SSL VPN clients	Cisco SSL VPN client, Version 1.1 or higher
Software IPSec VPN clients	Cisco VPN client for Windows, Version 3.6 or higher Cisco VPN client for Linux, Version 3.6 or higher Cisco VPN client for Solaris, Version 3.6 or higher Cisco VPN client for Mac OS X, Version 3.6 or higher
Hardware IPSec VPN clients (Cisco Easy VPN remote)	Cisco VPN 3002 hardware client, Version 3.0 or higher Cisco IOS Software Easy VPN remote, Release 12.2(8)YJ Cisco PIX 500 series security appliance, Version 6.2 or higher Cisco ASA 5500 series adaptive security appliance, Version 7.0 or higher

Cisco Secure Desktop Support

The security appliance supports CSD software Version 3.1.1.16.

Site-to-Site VPN Compatibility

In addition to providing interoperability for many third-party VPN products, the security appliance interoperates with the Cisco VPN products for site-to-site VPN connectivity shown in Table A-13.

Table A-13 Site-to-Site VPN Compatibility 

Platforms	Software Versions
Cisco ASA 5500 series adaptive security appliances	Version 7.0(1) or higher
Cisco IOS routers	Release 12.1(6)T or higher
Cisco PIX 500 series security appliances	Version 5.1(1) or higher
Cisco VPN 3000 series concentrators	Version 3.6(1) or higher

Cryptographic Standards

The security appliance supports numerous cryptographic standards and related third-party products and services, including those shown in Table A-14.

Table A-14 Cryptographic Standards 

Type	Description
Asymmetric (public key) encryption algorithms	RSA public/private key pairs, 512 bits to 4096 bits DSA public/private key pairs, 512 bits to 1024 bits
Symmetric encryption algorithms	AES—128, 192, and 256 bits DES—56 bits 3DES—168 bits RC4—40, 56, 64, and 128 bits
Perfect forward secrecy (Diffie-Hellman key negotiation)	Group 1— 768 bits Group 2—1024 bits Group 5— 1536 bits Group 7—163 bits (Elliptic Curve Diffie-Hellman)
Hash algorithms	MD5—128 bits SHA-1—160 bits
X.509 certificate authorities	Cisco IOS software Baltimore UniCERT Entrust Authority iPlanet CMS Microsoft Certificate Services RSA Keon VeriSign OnSite
X.509 certificate enrollment methods	SCEP PKCS #7 and #10